LAB#14 2013-TE-104: Wireshark Introduction Objective
2013-TE-104
LAB # 14
WIRESHARK INTRODUCTION
OBJECTIVE
Learn how to capture packets and analyze the various fields of those packets using
the Wireshark software.
THEORY
One's understanding of network protocols can often be greatly deepened by seeing
protocols in action and by playing around with protocols: observing the
sequence of messages exchanged between two protocol entities, delving down into
the details of protocol operation, and causing protocols to perform certain actions
and then observing these actions and their consequences. This can be done in
simulated scenarios or in a real network environment such as the Internet. In the
Wireshark labs you'll be doing in this course, you'll be running various network
applications in different scenarios using your own computer (or you can borrow a
friend's; let me know if you don't have access to a computer where you can
install/run Wireshark). You'll observe the network protocols in your computer in
action, interacting and exchanging messages with protocol entities executing
elsewhere in the Internet. Thus, you and your computer will be an integral part of
these live labs. You'll observe, and you'll learn, by doing.
In this first Wireshark lab, you'll get acquainted with Wireshark, and make some
simple packet captures and observations.
The basic tool for observing the messages exchanged between executing protocol
entities is called a packet sniffer. As the name suggests, a packet sniffer captures
(sniffs) messages being sent/received from/by your computer; it will also typically
store and/or display the contents of the various protocol fields in these captured
messages. A packet sniffer itself is passive. It observes messages being sent and
received by applications and protocols running on your computer, but never sends
packets itself. Similarly, received packets are never explicitly addressed to the
packet sniffer. Instead, a packet sniffer receives a copy of packets that are
sent/received from/by application and protocols executing on your machine.
Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the
protocols (in this case, Internet protocols) and applications (such as a web browser
or ftp client) that normally run on your computer. The packet sniffer, shown within
the dashed rectangle in Figure 1 is an addition to the usual software in your
computer, and consists of two parts. The packet capture library receives a copy
of every link-layer frame that is sent from or received by your computer. Recall from
the discussion in section 1.5 of the text (Figure 1.24) that messages exchanged
by higher-layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually
encapsulated in link-layer frames that are transmitted over physical media such as
an Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all
upper-layer protocols are eventually encapsulated within an Ethernet frame.
Capturing all link-layer frames thus gives you all messages sent/received from/by all
protocols and applications executing in your computer.
The second component of a packet sniffer is the packet analyzer, which displays
the contents of all fields within a protocol message. In order to do so, the packet
analyzer must understand the structure of all messages exchanged by protocols.
For example, suppose we are interested in displaying the various fields in messages
exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the
format of Ethernet frames, and so can identify the IP datagram within an Ethernet
frame. It also understands the IP datagram format, so that it can extract the TCP
segment within the IP datagram.
Finally, it understands the TCP segment structure, so it can extract the HTTP
message contained in the TCP segment. Finally, it understands the HTTP protocol
and so, for example, knows that the first bytes of an HTTP message will contain the
string "GET", "POST", or "HEAD".
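As an added example (not part of this lab handout), the following Python script builds one constructed Ethernet/IPv4/TCP/HTTP frame and then peels it apart layer by layer, exactly as the packet analyzer described above must: Ethernet header first, then the IP datagram, then the TCP segment, then the HTTP request line. The MAC addresses, IP addresses and ports are made-up sample values. The dissector also verifies the IPv4 header checksum and trims trailing Ethernet padding using the IP total-length field, two checks a real analyzer performs before trusting what it displays.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET", b"POST", b"HEAD")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.
    Over a header that already carries a correct checksum, this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample frame: Ethernet / IPv4 / TCP / HTTP GET to port 80.
    All addresses are made up (RFC 5737 documentation ranges)."""
    http = (b"GET /wiresharklabs/INTRO-wireshark-file1.html HTTP/1.1\r\n"
            b"Host: gaia.cs.umass.edu\r\n\r\n")
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag (DF), TTL, proto, checksum 0, src, dst
    ip_no_ck = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                           IPPROTO_TCP, 0,
                           socket.inet_aton("192.0.2.10"), socket.inet_aton("203.0.113.80"))
    ip = ip_no_ck[:10] + struct.pack("!H", ip_checksum(ip_no_ck)) + ip_no_ck[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + http


def dissect(frame: bytes) -> dict:
    """Walk the encapsulation from the link layer upward, returning one dict per layer found."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers  # ARP, IPv6, ... would need their own dissectors

    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _ck, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
                    "src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
                    "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if proto != IPPROTO_TCP:
        return layers

    tcp = ip[ihl:total_len]  # total_len drops any Ethernet padding after the datagram
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_res >> 4) * 4
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "flags": flags}

    payload = tcp[data_off:]
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, uri, version = request_line.split(" ")
        layers["http"] = {"method": method, "uri": uri, "version": version}
    return layers


if __name__ == "__main__":
    for name, fields in dissect(build_sample_frame()).items():
        print(name, fields)
```

Run it and the four layers print in the same order Wireshark's packet-details pane shows them; feeding the dissector a frame whose EtherType is not IPv4 stops after the Ethernet layer, which is why a real analyzer needs one dissector per protocol it claims to understand.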
We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for these
labs, allowing us to display the contents of messages being sent/received from/by
protocols at different levels of the protocol stack. (Technically speaking, Wireshark is
a packet analyzer that uses a packet capture library in your computer). Wireshark is
a free network protocol analyzer that runs on Windows, Linux/Unix, and Mac
computers. It's an ideal packet analyzer for our labs: it is stable, has a large user
base and well-documented support that includes a user guide
(http://www.wireshark.org/docs/wsug_html_chunked/), man pages
(http://www.wireshark.org/docs/man-pages/), and a detailed FAQ
(http://www.wireshark.org/faq.html), rich functionality that includes the capability to
analyze hundreds of protocols, and a well-designed user interface. It operates
in computers using Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many
other link-layer technologies (if the OS on which it's running allows Wireshark to do
so).
Getting Wireshark
In order to run Wireshark, you will need to have access to a computer that supports
both Wireshark and the libpcap or WinPCap packet capture library. The
libpcap software will be installed for you, if it is not installed within your operating
system, when you install Wireshark. See http://www.wireshark.org/download.html for
a list of supported operating systems and download sites.
Download and install the Wireshark software:
Go to http://www.wireshark.org/download.html and download and install
the Wireshark binary for your computer.
The Wireshark FAQ has a number of helpful hints and interesting tidbits of
information, particularly if you have trouble installing or running Wireshark.
Running Wireshark
When you run the Wireshark program, you'll get a startup screen, as shown below:
Take a look at the upper left-hand side of the screen; you'll see an Interface list.
This is the list of network interfaces on your computer. Once you choose an
interface, Wireshark will capture all packets on that interface. In the example above,
there is an Ethernet interface (Gigabit network Connection) and a wireless interface
(Microsoft).
If you click on one of these interfaces to start packet capture (i.e., for Wireshark to
begin capturing all packets being sent to/from that interface), a screen like the one
below will be displayed, showing information about the packets being captured.
Once you start packet capture, you can stop it by using the Capture pull-down menu
and selecting Stop.
expanded or minimized by clicking on the plus/minus boxes to the left of the
Ethernet frame or IP datagram line in the packet details window. If the packet has
been carried over TCP or UDP, TCP or UDP details will also be displayed, which
can similarly be expanded or minimized. Finally, details about the highest-level
protocol that sent or received this packet are also provided.
4. You'll see a list of the interfaces on your computer as well as a count of the
packets that have been observed on that interface so far. Click on Start for
the interface on which you want to begin packet capture (in this case, the
Gigabit network Connection). Packet capture will now begin - Wireshark is
now capturing all packets being sent/received from/by your computer!
5. Once you begin packet capture, a window similar to that shown in Figure 3
will appear. This window shows the packets being captured. By selecting the
Capture pull-down menu and selecting Stop, you can stop packet capture. But
don't stop packet capture yet. Let's capture some interesting packets first. To do
so, we'll need to generate some network traffic. Let's do so using a web browser,
which will use the HTTP protocol that we will study in detail in class to
download content from a website.
6. While Wireshark is running, enter the URL
http://gaia.cs.umass.edu/wiresharklabs/INTRO-wireshark-file1.html and have that page displayed in your browser. In
order to display this page, your browser will contact the HTTP server at
gaia.cs.umass.edu and exchange HTTP messages with the server in order to
download this page. The Ethernet frames containing these HTTP messages (as
well as all other frames passing through your Ethernet adapter) will be captured
by Wireshark.
7. After your browser has displayed the INTRO-wireshark-file1.html page (it is
a simple one line of congratulations), stop Wireshark packet capture by
selecting Stop in the Wireshark capture window. The main Wireshark window
should now look similar to Figure 3. You now have live packet data that contains
all protocol messages exchanged between your computer and other network
entities! The HTTP message exchanges with the gaia.cs.umass.edu web server
should appear somewhere in the listing of packets captured. But there will be
many other types of packets displayed as well (see, e.g., the many different
protocol types shown in the Protocol column in Figure 3). Even though the only
action you took was to download a web page, there were evidently many other
protocols running on your computer that are unseen by the user. We'll learn much
more about these protocols as we progress through the text! For now, you should
just be aware that there is often much more going on than meets the eye!
8. Type in "http" (without the quotes, and in lower case; all protocol names are
in lower case in Wireshark) into the display filter specification window at the top
of the main Wireshark window. Then select Apply (to the right of where you
entered "http"). This will cause only HTTP messages to be displayed in the packet-listing window.
9. Find the HTTP GET message that was sent from your computer to
the gaia.cs.umass.edu HTTP server. (Look for an HTTP GET message in the
listing of captured packets portion of the Wireshark window (see Figure 3) that
shows "GET" followed by the gaia.cs.umass.edu URL that you entered.) When
you select the HTTP GET message, the Ethernet frame, IP datagram, TCP
segment, and HTTP message header information will be displayed in the packet-header window. By clicking on the "+" and "-" right-pointing and down-pointing
arrowheads to the left side of the packet details window, minimize the amount of
Frame, Ethernet, Internet Protocol, and Transmission Control Protocol
information displayed. Maximize the amount of information displayed about the
HTTP protocol. Your Wireshark display should now look roughly as shown in Figure
5. (Note, in particular, the minimized amount of protocol information for all
protocols except HTTP, and the maximized amount of protocol information for
HTTP in the packet-header window).
10. Exit Wireshark.
Congratulations! You've now completed the first lab.
ASSIGNMENT:
1. List 3 different protocols that appear in the protocol column in
2. How long did it take from when the HTTP GET message was sent
until the HTTP OK reply was received? (By default, the value of
the Time column in the packet listing window is the amount of
time, in seconds, since Wireshark tracing began. To display the
Time field in time-of-day format, select the Wireshark View pull-
down menu, then select Time Display Format, then select Time-of-day.)
Time = Packet sent - Packet received
     = 19.331657 - 19.225443
Time = 0.106214 sec
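As an added example (not part of this lab report), the script below works the two assignment questions over a constructed packet listing shaped like Wireshark's packet-list pane (No., Time, Source, Destination, Protocol, Info). It applies the equivalent of the "http" display filter from step 8, lists the distinct values of the Protocol column, and then pairs the GET with its 200 OK the way a careful reader of the listing should: the reply must come later, flow back on the same address pair, and be the first such response. The addresses are made up; the two HTTP timestamps are the values from the answer above, so the computed delay reproduces it.

```python
# Constructed packet listing (not a real capture). Times are seconds since
# capture start, as in Wireshark's default Time column; addresses are made up.
SAMPLE_LISTING = [
    {"no": 1, "time": 0.000000,  "src": "192.0.2.10",    "dst": "192.0.2.1",
     "protocol": "DNS",  "info": "Standard query A gaia.cs.umass.edu"},
    {"no": 2, "time": 0.021311,  "src": "192.0.2.1",     "dst": "192.0.2.10",
     "protocol": "DNS",  "info": "Standard query response A 203.0.113.80"},
    {"no": 3, "time": 19.190002, "src": "192.0.2.10",    "dst": "203.0.113.80",
     "protocol": "TCP",  "info": "49152 > 80 [SYN] Seq=0"},
    {"no": 4, "time": 19.220118, "src": "203.0.113.80",  "dst": "192.0.2.10",
     "protocol": "TCP",  "info": "80 > 49152 [SYN, ACK] Seq=0 Ack=1"},
    {"no": 5, "time": 19.225443, "src": "192.0.2.10",    "dst": "203.0.113.80",
     "protocol": "HTTP", "info": "GET /wiresharklabs/INTRO-wireshark-file1.html HTTP/1.1"},
    {"no": 6, "time": 19.301009, "src": "192.0.2.1",     "dst": "ff:ff:ff:ff:ff:ff",
     "protocol": "ARP",  "info": "Who has 192.0.2.10? Tell 192.0.2.1"},
    {"no": 7, "time": 19.331657, "src": "203.0.113.80",  "dst": "192.0.2.10",
     "protocol": "HTTP", "info": "HTTP/1.1 200 OK (text/html)"},
]


def display_filter(listing, protocol):
    """Keep rows whose Protocol column matches, case-insensitively, like typing
    a protocol name into Wireshark's display-filter bar and pressing Apply."""
    return [p for p in listing if p["protocol"].lower() == protocol.lower()]


def protocols_seen(listing):
    """Assignment question 1: the distinct values of the Protocol column."""
    return sorted({p["protocol"] for p in listing})


def http_request_response_time(listing):
    """Assignment question 2: (GET packet no., OK packet no., seconds between them).
    The OK must come after the GET and flow from the GET's destination back to
    its source; the first such row is taken."""
    http = display_filter(listing, "http")
    get = next(p for p in http if p["info"].startswith("GET "))
    ok = next(p for p in http
              if p["no"] > get["no"]
              and p["src"] == get["dst"] and p["dst"] == get["src"]
              and " 200 OK" in p["info"])
    return get["no"], ok["no"], round(ok["time"] - get["time"], 6)


if __name__ == "__main__":
    print("Protocols in the listing:", ", ".join(protocols_seen(SAMPLE_LISTING)))
    for row in display_filter(SAMPLE_LISTING, "http"):
        print(row["no"], row["time"], row["protocol"], row["info"])
    get_no, ok_no, delay = http_request_response_time(SAMPLE_LISTING)
    print("GET (#%d) to OK (#%d): %.6f sec" % (get_no, ok_no, delay))
```

Matching the reply by reversed address pair matters on a busy capture: with several browser tabs open there can be more than one GET and more than one 200 OK in the filtered list, and subtracting the timestamps of the wrong pair gives a meaningless delay.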